CVE-2015-10004: robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison

December 28, 2022 (updated December 30, 2022)

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

References

github.com/advisories/GHSA-5vw4-v588-pgv8
github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
github.com/robbert229/jwt/issues/12
nvd.nist.gov/vuln/detail/CVE-2015-10004
pkg.go.dev/vuln/GO-2020-0023

Detect and mitigate CVE-2015-10004 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →